Infini Suffers $49M Exploit in Stablecoin Heist

Stablecoin Bank Infini has suffered a security breach that resulted in the theft of over $49 million in USDC.

On-chain tracking platforms identified that the attack happened due to an exploiter misusing retained administrative privileges.

Ex-Developer Behind the Hack

CertiK was the first to detect unusual activity on February 24, reporting unauthorized fund transfers from an Infini-associated contract on Ethereum.

Lookonchain later confirmed that the hacker stole 49.5 million USDC from the platform before converting the entire amount into 49.5 million DAI, an Ethereum-based stablecoin. The attacker then used the converted DAI to acquire 17,696 ETH, which was then moved to a newly created wallet 0xfcc8…6e49.

Cyvers Alerts revealed that the bad actor behind the incident, operating from address 0xc49b…3e1, was a developer who had originally worked on the contract for Infini.

Although the project was completed and handed over, the individual secretly retained administrative control. Over 100 days later, they funded their wallet using Tornado Cash, conducted a small ETH transaction to cover gas fees, and then exploited the system.

PeckShield Alert provided a different explanation, suggesting that a private key leak was to blame for the security breach. However, Infini founder Christian Li dismissed concerns that his private key had been compromised. Admitting to previous oversights in transferring control, he took full responsibility for the situation, acknowledging it as a wake-up call.

Meanwhile, another co-founder, Christine, assured customers that the company would compensate them for lost funds, stating that Infini had sufficient resources to cover the losses.

Founded in 2024, the digital-only neobank connects traditional banking and cryptocurrency finance. It offers stablecoin transactions, yield-generating accounts, and other banking services through its mobile platform.

A Broader Issue

The Infini hack is the latest in a series of high-profile breaches affecting the crypto sector. Just days earlier, on February 21, crypto exchange Bybit was targeted in a $1.5 billion exploit, marking the largest thefts in the industry’s history.

CEO Ben Zhou confirmed that the attack resulted in the loss of most of Bybit’s ETH holdings. The breach saw more than 400,000 Ether suspiciously leave the exchange’s wallet before being quickly swapped, converting staked mETH and stETH tokens into ETH.

The exchange has been working with blockchain security firms to recover the stolen assets, launching a $140 million bounty to incentivize assistance. Blockchain investigator ZachXBT has since identified the North Korean hacker group Lazarus as the likely attacker behind the incident